Bug 1054592 - (CVE-2014-0001) CVE-2014-0001 mysql: command-line tool buffer overflow via long server version string
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140130,repor...
Keywords: Security
Duplicates: 1063398 CVE-2014-2440
Depends On: 1054041 1055875 1055876 1055880 1055882 1055883 1055884 1056457 1059545 1059546
Blocks: 1054621 1088219

Reported: 2014-01-17 00:39 EST by Garth Mollett
Modified: 2015-11-24 10:40 EST
Doc Type: Bug Fix
Last Closed: 2014-02-24 00:03:37 EST

Attachments
proposed fix (654 bytes, patch) - 2014-01-22 14:05 EST, Honza Horak

Description Garth Mollett 2014-01-17 00:39:44 EST
The MySQL client in both MySQL and MariaDB contains a buffer overflow when reading the server version information.

This may be exploited by connecting to a malicious/compromised db server or by a MITM, and potentially allows execution of arbitrary code as the user running the client.
Comment 9 Honza Horak 2014-01-22 14:05:24 EST
Created attachment 854008 [details]
proposed fix

This fix is really simple, just check buffer size properly.
Comment 11 Tomas Hoger 2014-01-29 03:28:02 EST
Note that this issue affects mysql, the command-line tool / SQL shell, not the libmysqlclient library.
Comment 12 Huzaifa S. Sidhpurwala 2014-01-30 01:30:30 EST
This issue is now public via:

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/2502.565.64
Comment 13 Huzaifa S. Sidhpurwala 2014-01-30 01:31:40 EST
This issue affects the version of mysql55-mysql as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of mysql as shipped with Red Hat Enterprise Linux 6.
Comment 15 Huzaifa S. Sidhpurwala 2014-01-30 01:35:48 EST
Created mariadb tracking bugs for this issue:

Affects: fedora-all [bug 1059546]
Comment 16 Huzaifa S. Sidhpurwala 2014-01-30 01:35:52 EST
Created community-mysql tracking bugs for this issue:

Affects: fedora-all [bug 1059545]
Comment 17 Murray McAllister 2014-02-04 17:43:16 EST
Acknowledgements:

This issue was discovered by Garth Mollett of the Red Hat Security Response Team.
Comment 18 Karel Volný 2014-02-10 10:54:15 EST
*** Bug 1063398 has been marked as a duplicate of this bug. ***
Comment 19 errata-xmlrpc 2014-02-12 13:24:29 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0164 https://rhn.redhat.com/errata/RHSA-2014-0164.html
Comment 20 errata-xmlrpc 2014-02-13 13:38:08 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0173 https://rhn.redhat.com/errata/RHSA-2014-0173.html
Comment 21 errata-xmlrpc 2014-02-18 12:57:07 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0186 https://rhn.redhat.com/errata/RHSA-2014-0186.html
Comment 22 errata-xmlrpc 2014-02-19 13:47:10 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0189 https://rhn.redhat.com/errata/RHSA-2014-0189.html
Comment 23 Tomas Hoger 2014-05-09 04:15:08 EDT
MySQL upstream commit:
http://bazaar.launchpad.net/~mysql/mysql-server/5.5/revision/4601
Comment 24 Tomas Hoger 2014-05-13 13:23:03 EDT
This issue did not affect MySQL 5.0.  While those versions have the relevant sprintf() call, there's a difference in the length of the version string returned by the server_version_string() function.

In versions before 5.1.34, the buffer used to store the server version string returned by server_version_string() was static with a length of 128.  The buffer glob_buffer to which sprintf prints the connection info was allocated with a size of 512, hence sprintf could not overflow it and a long version string presented by the server would be printed truncated.

The server_version_string() function was changed in version 5.1.34 to avoid the problem with truncation of long version strings.  The function was modified to dynamically allocate the buffer for the version string, which can therefore be longer than the glob_buffer size of 512.  Hence this security flaw was introduced.

Upstream bug, upstream commit, and release notes related to the server_version_string() change in 5.1.34 that introduced this issue:

http://bugs.mysql.com/bug.php?id=43153
http://bazaar.launchpad.net/~mysql/mysql-server/5.1/revision/2728.10.6
http://dev.mysql.com/doc/relnotes/mysql/5.1/en/news-5-1-34.html
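Comment 9's fix ("just check buffer size properly") and Comment 24's account of sprintf() writing a server-controlled version string into the 512-byte glob_buffer describe the same defect. The C below is an added illustration of that pattern, not MySQL's, MariaDB's, or the attached patch's code: the unbounded sprintf() form sits beside a bounded snprintf() form that reports when the server's string would not fit, so the caller can truncate or refuse instead of overflowing. The format string, the function names and the GLOB_BUFFER_SIZE macro are assumptions; only the 512-byte buffer size comes from the comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed client-side buffer. The 512 matches the glob_buffer size named in the
   bug; the macro name and everything else here is hypothetical. */
#define GLOB_BUFFER_SIZE 512

/* Vulnerable pattern as the report describes it: an unbounded sprintf() of a
   server-supplied string into a fixed-size buffer. Shown for comparison only;
   main() calls it with a short, safe constant. */
void format_server_info_unchecked(char *glob_buffer, const char *server_version)
{
    sprintf(glob_buffer, "Server version:\t\t%s\n", server_version); /* no bound */
}

/* Hardened pattern: bound the write with snprintf() and check how much it
   wanted to write. Returns 1 when the whole line fit, 0 when the server's
   string was too long. On 0 the buffer still holds a NUL-terminated,
   truncated line, since snprintf() never writes past glob_size. */
int format_server_info(char *glob_buffer, size_t glob_size, const char *server_version)
{
    int needed = snprintf(glob_buffer, glob_size, "Server version:\t\t%s\n", server_version);
    if (needed < 0)
        return 0;                       /* encoding error: treat as not fitting */
    return (size_t)needed < glob_size;  /* needed counts chars excluding the NUL */
}

/* Constructed stand-in for a version string of arbitrary length, as a server
   could present once the client stopped truncating at 128 bytes (>= 5.1.34). */
char *make_version_string(size_t len)
{
    char *v = malloc(len + 1);
    if (v == NULL)
        return NULL;
    memset(v, 'A', len);
    v[len] = '\0';
    return v;
}

/* Formats a constructed version string of version_len bytes into a
   GLOB_BUFFER_SIZE buffer; returns 1 if it fit, 0 if it was rejected. */
int version_fits(size_t version_len)
{
    char glob_buffer[GLOB_BUFFER_SIZE];
    char *v = make_version_string(version_len);
    if (v == NULL)
        return 0;
    int ok = format_server_info(glob_buffer, sizeof glob_buffer, v);
    free(v);
    return ok;
}

/* Same as above but returns the length of the line left in the buffer, which
   shows that an oversized string is cut at GLOB_BUFFER_SIZE - 1 characters
   rather than written past the end. */
long line_length_after(size_t version_len)
{
    char glob_buffer[GLOB_BUFFER_SIZE];
    char *v = make_version_string(version_len);
    if (v == NULL)
        return -1;
    format_server_info(glob_buffer, sizeof glob_buffer, v);
    free(v);
    return (long)strlen(glob_buffer);
}

int main(void)
{
    char glob_buffer[GLOB_BUFFER_SIZE];

    /* Both forms behave identically on a well-formed, short version string. */
    format_server_info_unchecked(glob_buffer, "5.5.35-MariaDB");
    printf("unchecked: %s", glob_buffer);
    format_server_info(glob_buffer, sizeof glob_buffer, "5.5.35-MariaDB");
    printf("checked:   %s", glob_buffer);

    /* Only the bounded form can be asked about oversized input. */
    printf("493-byte version fits: %d\n", version_fits(493));
    printf("494-byte version fits: %d\n", version_fits(494));
    printf("line length after 600-byte version: %ld\n", line_length_after(600));
    return 0;
}
```

The prefix "Server version:\t\t" plus the trailing newline is 18 bytes, so a 493-byte version string is the longest that fits in 512 with its terminator; one byte more is rejected, and a far longer string still leaves exactly 511 characters in the buffer. The practical lesson from Comment 24 is that the buffer sizes on the two sides of a sprintf() are a contract: when the producer (server_version_string()) stops bounding its output, the consumer must start bounding its own write.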
Comment 25 Tomas Hoger 2014-09-12 05:18:47 EDT
*** Bug 1088197 has been marked as a duplicate of this bug. ***